Easy prey: BEC fraud at an industrial scale

Neil Meikle
September 2020
Part two in our series on business email compromise

Business email compromise (BEC) is a widespread and costly type of cyber attack that has surged in recent years. In this regular, bite-sized series, we look at the scale of the problem, the rapid rise in account takeover attacks on the Microsoft 365 platform, how investigations of these attacks are changing, and what all of this means to businesses, their cyber insurers and their legal representatives.

The previous article in this series is Why the fast-mutating BEC fraud is as common and costly as ever and the next article is Seven critical steps to avoid business email compromise.

In the last article I introduced BEC fraud and described the huge financial impact it continues to have. I gave the illustrative example of CEO impersonation, which is relatively well-known (having been around for many years) and often uses the tried-and-tested techniques of social engineering and phishing (which are still surprisingly effective). But in this article, I want to shift the focus to a type of account takeover attack that doesn’t rely on faked emails or a con artist with a convincing message. In fact, it doesn’t require any human interaction at all, which makes the usual defences - such as improved staff training and awareness - much less potent. It’s a weakness in the way that many organisations have configured their Microsoft 365 environment, which means that a threat actor only needs to do one thing to gain control of an account: guess a password.

Unrelenting attack

How many organisations are inadvertently walking around with the cyber equivalent of a giant email compromise target on their back? Answer: it’s a lot more than you think, and it’s a lot more than I ever imagined (and I deal with these cases on a fairly regular basis). The numbers are pretty horrifying, especially when you think about the disproportionate amount of pain caused by a single account takeover attack, the precursor to fraud attempts and data breaches.

Microsoft painted a stark and illuminating picture of the scale of the account takeover problem during a session at the RSA Conference 2020. (The recording is no longer available to view on the RSA Conference website, but at the time of writing you can still find it on YouTube.) It was revealed that every month around 0.5% of Microsoft 365’s enterprise accounts were compromised (which equated to more than 1.2 million accounts in January 2020 alone). This is not a new trend: the threat level has been rising for years. Microsoft explained that they had seen “around a 3,000% increase in attack rate in our systems in the last three years”. A separate article from Microsoft disclosed that there are more than 300 million fraudulent sign-in attempts on their cloud services every day.

Survival of the fittest

These are dizzying numbers, and if all users were equally at risk we could expect half of the entire enterprise user base of Microsoft 365 to be compromised within the next decade. But of course that isn’t how it works. Some customers are significantly more at risk than others, and these differences prove to be critical. In the natural world, some members of a group are less likely to be attacked and have a better chance of survival than the others – they might be faster, or more alert, or maybe they know something that everyone else doesn’t. The same is true for companies and their odds of experiencing and surviving a cyber attack.

We can break this down into “exposure” and “controls”. Companies that regularly carry out fund transfers (particularly those involving large invoices, holding funds, and transfers to high risk jurisdictions) have greater exposure because they are more attractive targets. Their risk will always be higher than companies that don’t make large or frequent payments. It doesn’t matter how fast they can run, the lion will always want to eat them.

However, organisations are directly in charge of the controls they put in place. Some policy decisions and technical measures are more effective, some security postures are better than others, and it is the weakest companies that are often picked off first. When Asceris prepare a proactive risk assessment report for a client's Microsoft 365 environment, there are two controls in particular that jump out. Using my previous analogy, they separate the herd from the ones who are too slow to escape from pursuing predators.

“…any being, if it vary however slightly in any manner profitable to itself, under the complex and sometimes varying conditions of life, will have a better chance of surviving and thus be naturally selected”

Charles Darwin, On the Origin of Species by Means of Natural Selection, 1859

Brute force, and the Achilles' heel of Microsoft 365 security

Just one catastrophic weakness in cyber security can create trouble for any organisation, even if cyber defences are generally strong. This brings us to a vulnerability that a surprisingly large number of companies seem content to live with. Despite the serious risk they pose, many organisations are failing to block legacy authentication protocols (also referred to as basic authentication) such as POP3, IMAP and SMTP. This is one of the biggest red flags in our BEC investigations: any events we see using this type of protocol attract a hefty risk score and are almost always investigated further.

One of the problems that organisations face when they support legacy authentication is that all the attacker needs to compromise the account is a username and password. Even if multi-factor authentication (MFA) is enabled and enforced for the user, that support for legacy authentication means that MFA doesn’t have to be used at all when connecting over these protocols. Threat actors can use leaked credentials, or repeatedly attempt brute force attacks until they gain access.

The statistics for two common attack techniques speak for themselves. Password spraying is a type of brute force attack that tries a small number of frequently used passwords against a large number of accounts. It is effective because the attacker is playing a numbers game: some very common passwords will be guessed correctly if you target a sufficiently large number of accounts. A Microsoft article from September 2019 indicated that on some days there are hundreds of thousands of these breaches. There is a very strong correlation with legacy authentication: Microsoft found that 99.7% of password spray attacks used these protocols. Credential stuffing attacks (also known as breach replay attacks) are slightly different: they reuse usernames and passwords leaked in earlier breaches against new sites and services. Microsoft has noted that more than 20 million cloud-based Azure Active Directory accounts are probed automatically every day. And again, legacy authentication is a key factor: more than 97% of these replay attacks on Microsoft 365 use legacy protocols.

I mentioned earlier that legacy authentication connections are significant in BEC investigations, and there is another important reason for this. Once threat actors have gained access to a mailbox, these protocols can be used to download a full copy of the user’s emails (all of them). So unless we see evidence to the contrary, the presence of one of these connections forces us to assume that a data breach of the entire mailbox has occurred. This can result in significant costs, because typically the messages and documents need to be reviewed for potential breaches of data privacy.
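The two red flags described above (legacy-protocol sign-ins, which attract a hefty risk score, and the one-IP-many-accounts shape of a password spray) can be picked out of sign-in logs mechanically. The following is an added example, not Asceris tooling: the record fields are modelled on Azure AD sign-in log names (clientAppUsed), the sample events are constructed, and the scores and thresholds are assumptions.

```python
"""Triage constructed Microsoft 365 sign-in records for the two red flags the
article describes: legacy (basic) authentication and password-spray patterns.
Added example, not Asceris tooling: record fields are modelled on Azure AD
sign-in log names (clientAppUsed); scores and thresholds are assumed."""
from collections import defaultdict

# Protocols that cannot carry an MFA challenge (assumed clientAppUsed values).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample: one source IP spraying four accounts over IMAP4 and
# succeeding against the fourth, plus ordinary browser traffic.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "clientAppUsed": "IMAP4", "success": False},
    {"user": "bob@example.com", "ip": "203.0.113.7", "clientAppUsed": "IMAP4", "success": False},
    {"user": "carol@example.com", "ip": "203.0.113.7", "clientAppUsed": "IMAP4", "success": False},
    {"user": "dave@example.com", "ip": "203.0.113.7", "clientAppUsed": "IMAP4", "success": True},
    {"user": "alice@example.com", "ip": "198.51.100.4", "clientAppUsed": "Browser", "success": True},
    {"user": "erin@example.com", "ip": "198.51.100.9", "clientAppUsed": "Browser", "success": False},
]

def score_signin(rec):
    """Hefty base score for any legacy-protocol sign-in; a successful one is
    treated as a possible full-mailbox download, the article's default assumption."""
    score = 0
    if rec["clientAppUsed"] in LEGACY_CLIENT_APPS:
        score += 70
        if rec["success"]:
            score += 30
    return score

def detect_password_spray(records, min_accounts=3):
    """Group failures by source IP: a spray is one IP failing against many
    distinct accounts, unlike a brute force hammering a single user."""
    failed_users = defaultdict(set)
    for rec in records:
        if not rec["success"]:
            failed_users[rec["ip"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_accounts}

def triage(records):
    # Events needing an analyst's attention, highest risk first.
    flagged = [(score_signin(r), r) for r in records if score_signin(r) > 0]
    return sorted(flagged, key=lambda t: t[0], reverse=True)

if __name__ == "__main__":
    for score, rec in triage(SAMPLE_SIGNINS):
        print(score, rec["user"], rec["clientAppUsed"], "ok" if rec["success"] else "fail")
    print("Password spray sources:", detect_password_spray(SAMPLE_SIGNINS))
```

Note that the spray detector only sees failures, so the account the attacker actually got into (dave) surfaces through the legacy-auth score rather than the spray list; an investigation needs both views.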

Why the hesitation?

Given the danger posed, why don’t all organisations just disable legacy authentication immediately? There are a few reasons for this. A major issue can be the cost and complexity of updating applications that rely on legacy authentication. In many cases organisations don’t even know which applications rely on legacy authentication, and it takes time and effort to understand usage patterns, re-write custom applications, and then block the protocols in a staged rollout that limits the risk of critical systems falling over. (Microsoft’s session at the RSA Conference 2020 provides a useful insight into the challenges involved.) Finally, a lack of sponsorship and buy-in can mean that these critical changes ultimately slip off an organisation’s long list of priorities. However, it’s worth noting that Microsoft will ultimately block all legacy authentication connections, so organisations will need to carry out this work at some stage. It’s a question of “when”, not “if”.

A password away from disaster

Another key predictor of whether an organisation will be successfully attacked is whether it is among the relatively small group of businesses who have enabled MFA. It’s our top recommendation for how companies can reduce their risk of account takeover, followed in second place by turning off that insecure legacy authentication. It’s only when both of these simple security measures are implemented that a threat actor needs to do more than simply guess a password to take over an account. Businesses that put them in place can immediately jump ahead of their fellow Microsoft 365 users who remain blissfully (but dangerously) unaware of the very real danger they are in.

Coming up next

In the next part of this series, we present our full checklist of actions that organisations should implement as a priority to minimise their exposure to cloud-based business email compromise attacks.

Find out more

Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.

If you are the target of an active business email compromise attack, please request emergency assistance immediately.

Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Neil Meikle
Neil is Asceris' Chief Technology Officer. Over the last 19 years, he has delivered a variety of large multi-jurisdictional investigations and has spoken frequently at conferences on technology-related subjects. He maintains deep hands-on expertise in a wide range of technical subjects including digital forensics, cyber incident response, forensic data analytics, machine learning and artificial intelligence.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.
